A security breach at one of India’s largest pharmacy chains allowed outsiders to gain complete control of its platform, exposing customer order data and sensitive drug control functions, TechCrunch has learned exclusively.
The case involved DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of stores across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying links to unsecured “supermaster” programs on the DavaIndia website and privately sharing the information with India’s cybersecurity authorities.
The bug has now been fixed, and Zveare has revealed his findings.
The exposure comes as Zota Healthcare is rapidly scaling DavaIndia Pharmacy’s retail business. The Gujarat-headquartered company operates more than 2,300 DavaIndia stores across India, including 276 new stores announced in January, and plans to add another 1,200 to 1,500 over the next two years.
Zveare told TechCrunch that the flaw was caused by unsecured administrative links, which allowed unauthorized users to create “super admin” accounts with elevated privileges.
With that level of access, an attacker could view thousands of online orders containing customer information, change product listings and prices, create discount coupons, and change settings that govern whether certain medications require a prescription, the researcher said.
Based on system timestamps, Zveare said the vulnerable administrative links appear to have been live since late 2024. Access exposed nearly 17,000 online orders and administrative controls covering 883 stores, he said, allowing for changes in product prices, drug requirements, and promotional discounts. Zveare said the access allowed the editing of website content that could have been used to deface or disrupt.
Pharmacy order data can be very sensitive, as it may reveal information about a person’s health conditions, medications or other private purchases. Disclosure of such data, even without evidence of misuse, carries higher privacy and patient safety risks than other consumer information.
“Customer information was linked to their orders,” Zveare said. “This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and products purchased. Since this is a pharmacy, products purchased may be considered confidential and embarrassing to some people.”
Zveare said he reported the issue to CERT-In, India’s national cyber emergency response agency, in August 2025. The vulnerability was fixed within weeks, although the company’s verification took longer and was given to cyber authorities at the end of November, he said.
Sujit Paul, CEO of Zota Healthcare, did not respond to emails sent by TechCrunch last month. The researcher said there is no indication that the bug was exploited before it was released.
